corillo181, Posted November 1, 2007: Which is the best way to assign a cookie to continue a session when the user comes back? My whole website is based on sessions; I don't want to go around changing everything to evaluate cookies.
rajivgonsalves, Posted November 1, 2007: You can read the following: http://www.evolt.org/article/comment/17/60265/index.html
corillo181 (Author), Posted November 3, 2007: I was looking at that code and maybe I'm wrong, but if I do it that way, the users are able to modify cookies, so if a user were to modify his cookie with another user name it would log in that user with that user name. So it doesn't look safe. Or is this the best way to do it? I wouldn't know; I'm going with my instincts here.
corillo181 (Author), Posted November 3, 2007: No input on that?
rajivgonsalves, Posted November 3, 2007: Well, you can encrypt the login id.
Azu, Posted November 6, 2007: If you want your login system to be secure then you probably shouldn't store anything related to login on the client side. Instead handle it server side (MySQL). This makes it almost impossible for there to be a security problem (unless of course someone has direct access to the victim's computer, in which case they are screwed no matter WHAT kind of login system you use). This will basically mean that it will be impossible to steal sessions (or cookies through JavaScript attacks).
corillo181 (Author), Posted November 6, 2007: So it would be a good idea to use 2 cookies, one with the user id and the other one with a random number, so that when the user comes back I check the id and the random number in MySQL?
revraz, Posted November 6, 2007: If it gives them the same access as if it read their password, then that would be no different than storing their ID/PW.
corillo181 (Author), Posted November 6, 2007: Oh, I see what you mean. Alright. If the password is encrypted there is no way they'd be able to guess the other user's password.
revraz, Posted November 6, 2007: In another post, someone made a good suggestion. Store the uid and the user's IP address. If they return from the same IP, then it's a safe bet it's the same person. If it's a different IP, then make them re-log back in. Yes, it's a hassle for those that are on dial-up or other services that change IPs often, but it sure makes it more secure.
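An added example (not code from anyone in this thread) of the two-value "remember me" cookie proposed above, built so that revraz's objection does not apply: the database stores only a hash of the random secret, so a copy of the table does not grant logins the way a stored password would. It assumes a PDO connection `$pdo` and a table `remember_tokens(selector, validator_hash, user_id, expires)`, both hypothetical names.

```php
<?php
// Persistent login with a selector/validator pair. The selector is a public lookup key;
// the validator is a 256-bit secret that exists only in the cookie and as a hash in the DB.
// Table and connection names are assumptions for this example.

function issue_remember_cookie(PDO $pdo, int $userId): void
{
    $selector  = bin2hex(random_bytes(9));   // 18 hex chars, used only to find the row
    $validator = random_bytes(32);           // secret; never stored in clear text
    $expires   = time() + 30 * 86400;        // 30 days

    $stmt = $pdo->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    // HttpOnly keeps the cookie away from script; Secure keeps it off plain HTTP.
    setcookie('remember', $selector . ':' . bin2hex($validator), [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Returns the user id to restore into $_SESSION, or null if the cookie is absent, expired or forged.
function user_from_remember_cookie(PDO $pdo): ?int
{
    $raw = $_COOKIE['remember'] ?? '';
    if (substr_count($raw, ':') !== 1) {
        return null;
    }
    [$selector, $validatorHex] = explode(':', $raw, 2);
    if (strlen($validatorHex) !== 64 || !ctype_xdigit($validatorHex)) {
        return null;                          // malformed secret; avoid hex2bin warnings
    }

    $stmt = $pdo->prepare(
        'SELECT user_id, validator_hash, expires FROM remember_tokens WHERE selector = ?'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int)$row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison so a forged cookie learns nothing from timing.
    if (!hash_equals($row['validator_hash'], hash('sha256', hex2bin($validatorHex)))) {
        return null;
    }
    return (int)$row['user_id'];
}
```

When the lookup succeeds, call `session_regenerate_id(true)` before setting `$_SESSION['user_id']`, and delete the row on logout so the cookie cannot be replayed afterwards.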